Apps and privacy – the eternal debate

Perhaps the biggest coup this month is the purchase of Twitter by entrepreneur Elon Musk. It goes hand in hand with a debate that has been recurring for years: if a private individual holds the data of millions of users, what can they do with it?

This has always been a cause for concern, because in Germany in particular, data protection is written with four letters: GDPR. It is intended to protect people's private data and also applies to platforms such as Twitter, Facebook, etc. However, they keep squirming around it - with opaque paragraphs in their privacy policy or, in the case of Twitter, the declaration that the profile owners are also responsible for protecting the data.

In the end, all of this nonsense means that very little is known about the amount of data actually collected, analyzed, and sold by social apps.

Not all apps are the same!

Collecting user-related data is part of daily business in the age of the Internet. Some apps require data, such as location or certain personal details, in order to send notifications to the user. In the case of the Corona Warn app, for example, this was specifically the notification of an increased Corona risk.

Even before the app was released, however, voices were raised here that were rather critical of the collection of this data - this could, of course, also have had something to do with the underlying mood during the pandemic.

Nevertheless, the negative attitude of many people towards the Corona Warn app illustrates a widespread problem that companies also have to struggle with internally: in private, users readily give their data to apps like Instagram, Facebook and Twitter, where it is used for targeted advertising and the promotion of content that 'suits their tastes.' The following question is often not asked: where does my data end up and what is done with it? In addition, many available apps do not even have a privacy policy. However, because the fun factor is in the foreground, these apps cannot be used without giving consent, and the attitude prevails that one 'has nothing to hide anyway,' consent is granted.

On the other hand, many smartphone users invoke the right to protect their personal data only when a work app is to be installed or, as in the case of the Corona Warn app, when there is an obligation behind it.

Of course, everyone can decide for themselves how and where data is entered, but there are sometimes glaring gaps in the knowledge of how much data is actually collected and analyzed. Accordingly, there is a great deal of incomprehension when certain apps are not allowed to be used at work.

Ensuring data protection: Only through bans?

The answer to this is short but painful: yes. Of course, we're not talking about banning private after-work enjoyment here, but about banning certain apps in a corporate context. If employees are allowed to use their devices privately, it must always be controlled which apps end up on the device.

Of course, it is almost impossible to check the security policies of every single app available in the App Store or the Google Play Store. As a system administrator in the company, you are also always torn: on the one hand, the Play Store is needed for many apps to pull updates; on the other hand, not all apps should be freely available. You can resolve this by managing the app store with the help of an MDM and, for example, setting it up so that every app that is to be downloaded must first be approved by the administration.

With this model, individual apps should be checked beforehand:

  • Do they have a privacy policy?
  • If so, what specific data is collected?
  • Can the privacy policy still be viewed after the app has been installed and can it be changed if necessary?
  • Is data passed on to third parties?
  • Where is the app developed?

If you cannot clearly assess whether this applies to an app you are thinking about approving, then we tend to advise against its use in a corporate context. The absolute worst case scenario would be that an app gains access to stored data, e.g. patient data, and passes it on.

If you do not want to take any risk at all, then the App Store and Google Play Store can also be banned. In this case, the apps needed for work must be made available as APKs.

Raise awareness - protect data better

One thing is certain: we should not leave our data to the tech moguls of this world. It is therefore also essential to conduct comprehensive training on data protection for all new employees and to explicitly address the use of apps in a private and professional context.

Furthermore, with an MDM (Mobile Device Management System), you can also ensure, beyond the written assurance of the employee, that apps whose use is not desired (and therefore not permitted) are not installed on the devices. We would be happy to advise you on this and develop a personal strategy!

We don't collect data, but we do collect satisfied customers! Contact us today for your data protection strategy.